1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

458 Commits

Author SHA1 Message Date
Stefan Metzmacher
82929a4bdd s4:ldap_server: introduce a ldapsrv_call_destructor()
This makes sure that a call doesn't become an stale
member of the conn->pending_calls list.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:22 +02:00
Stefan Metzmacher
ace49db796 s4:ldap_server: use talloc_zero() in ldapsrv_init_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:22 +02:00
Jeremy Allison
560c37524b s4: Add TALLOC_CTX * to register_server_service().
Use the passed in context from callers. Remove one
talloc_autofree_context().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-11 20:30:13 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Garming Sam
81f874974e ldap_server: Move a variable into a smaller scope
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
d004196036 auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
366f8cf090 auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
f4a4522d1f ldap_server: Log access without a bind
This can be over the privileged ldapi socket, or just as the implicit anonymous access

However, do not log for setting up StartTLS, or a rootDSE search.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
70a115b310 ldap_server: Log authorization for simple binds
Existing comment is no longer relevant.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
5f5756db71 ldap_server: Move code into authenticate_ldap_simple_bind()
This function is only called for simple binds, and by moving the mapping into
the function call we allow the unmapped values to be included in the
user_info and so logged.

We also include the local address and the remote address of the client
for future logging

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
9ffdb84600 s4-ldap_server: Do not set conn->session_info to NULL, keep valid at all times
We need this to be valid, right up until a new session_info is created and
it is replaced.

We need this to have a valid value at all times, and we are still anonymous
until the new bind completes

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
1cca9d6dce s4-ldap_server: Set remote and local address values into GENSEC
This will allow channel bindings and logging of the address values used during
authentication

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
28e0c8d135 s4-ldap_server: Split gensec setup into a helper function
This makes the error handling simpler when we set more
details onto the gensec context.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Volker Lendecke
ae12111685 ldap_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-09 20:04:19 +01:00
Stefan Metzmacher
81ccdad9d0 s4:ldap_server: match windows in the error messages of failing LDAP Bind requests
This is important for some applications to detect the
NT_STATUS_PASSWORD_MUST_CHANGE condition correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-03 08:59:16 +01:00
Stefan Metzmacher
3a0b835408 s4:ldap_server: don't use gensec_want_feature(gensec_security, GENSEC_FEATURE_{SIGN,SEAL}) as server
They're always supported and using gensec_want_feature() on them would require
them in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:12 +02:00
Garming Sam
657e31450c schema: Remove unnecessary schema reload code
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:20 +02:00
Stefan Metzmacher
28f1af7e50 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
dedba1f070 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
0ebe929810 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
6e88639ed9 s4:ldap_server: add support for async notification requests
This is a simplified version that works with the current
dsdb_notification module that requires the caller to retry
periodically. We do that every 5 seconds or 100 microseconds
if we're forcing a retry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-02-17 03:43:23 +01:00
Stefan Metzmacher
29e3fc1cff s4:ldap_server: make sure we only have one tstream_read_pdu_blob_send() on a connection
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-02-17 03:43:23 +01:00
Michael Adam
476672b647 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-06 21:48:17 +01:00
Stefan Metzmacher
5a0c439eb5 s4:ldap_server: use LDAP_AUTH_METHOD_NOT_SUPPORTED define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-02-01 09:53:10 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Andrew Bartlett
374d73617d lib/tls: Add new 'tls priority' option
This adds a new option to the smb.conf to allow administrators to disable
TLS protocols in GnuTLS without changing the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 03:08:26 +02:00
Kamen Mazdrashki
6214dbd574 s4-ldap: Pass on-wire transmitted control down the chain
Change-Id: Ic3a117f74e8a67c45584fdb520d92e4f0cb01c5e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-08 03:00:41 +01:00
Volker Lendecke
f5efddb9ae lib: directory_create_or_exist() does not use "uid" parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-07-28 22:04:13 +02:00
Jeremy Allison
463311422c s3/s4: smbd, rpc, ldap, cldap, kdc services.
Allow us to start if we bind to *either* :: or 0.0.0.0.

Allows us to cope with systems configured as only IPv4
or only IPv6.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-By: Amitay Isaacs <amitay@gmail.com>
Reviewed-By: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun  7 01:01:44 CEST 2014 on sn-devel-104
2014-06-07 01:01:43 +02:00
Stefan Metzmacher
99e8bea5d5 s4:ldap_server: make use of gensec_update_ev()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:31 +01:00
Andrew Bartlett
7db0defdd2 ldapsrv: Pass struct ldb_result * rather than void *
Change-Id: Ic521cbfcf922cfe9e14c89116c097b777a86af40
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-on: https://gerrit.samba.org/35
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-03-14 12:53:11 +01:00
Stefan Metzmacher
f7883ae02a s4:lib/socket: simplify iface_list_wildcard() and its callers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10464
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Change-Id: Ib317d71dea01fc8ef6b6a26455f15a8a175d59f6
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  7 02:18:17 CET 2014 on sn-devel-104
2014-03-07 02:18:17 +01:00
Garming Sam
4c9e0d5add Remove NT_STATUS_IS_OK_RETURN macro from the codebase.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.

Change-Id: I27e7597f4078f0a6c96b5dadd12454fffe33e6b2
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:21 +01:00
Benjamin Franzke
0620c79d76 s4:dsdb/rootdse: Support netlogon request
This patch adds support for a netlogon ldap style request
over the tcp socket.  This is available since win2k3+ [1].

The automatic client join & configuration daemon "realmd" makes
use of this ability.
Realmd can now be used to join a computer to a samba 4 domain.
(See also:
https://lists.samba.org/archive/samba-technical/2013-October/095606.html)

Tested with:
ldapsearch -h samba-srv -x -b '' -s base "(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))" NetLogon

And compared the result in wireshark with cldap request issued by
examples/misc/cldap.pl.

[1]: http://wiki.wireshark.org/MS-CLDAP?action=recall&rev=8

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-11-11 23:00:54 +01:00
Stefan Metzmacher
966faef9c6 auth/gensec: treat struct gensec_security_ops as const if possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
a1aeeee430 s4:ldap_server: call irpc_add_name() at startup (bug #9905)
We should call irpc_add_name() when we start the ldap_server task.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-06-13 12:37:04 +02:00
Matthieu Patou
85259635d6 ldap-server: sscanf result was never used to mistyped var 2012-10-07 21:51:02 -07:00
Matthieu Patou
97d0ad0c5e ldap-server: remove warning for the ret not being used 2012-10-07 21:51:02 -07:00
Jeremy Allison
4c1762c3a8 Fix debug print warning message. 2012-07-24 00:09:46 +02:00
Matthieu Patou
1521bb95a7 dsdb-schema: do not reload more often than schema_reload_interval
Samba 4 use to try to reload the schema every time dsdb_get_schema was
called (which could be 20+ time per ldb request). Now we only reload at
most every xx seconds (xx being the value of dsdb:"schema_reload_interval"
 or 120). The timestamp of the last reloaded schema is kept in the
 dsdb_schema object. There is also a timestamp in the ldb_context, that
 is used by the LDAP server to know if it has to reload the schema after
 handling the request. This is used to allow that the schema will be
 immediately reload after a schemaUpdateNow request has been issued, the
 reload can't occur in the handling of the LDAP request itself because
 we have a transaction autostarted.
2012-06-22 23:16:04 -07:00
Andrew Bartlett
b8815dc23d lib/param: Create a seperate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Alexander Bokovoy
2ddf89a2bc Introduce system MIT krb5 build with --with-system-mitkrb5 option.
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
2012-05-23 17:51:50 +03:00
Stefan Metzmacher
e425948323 s4:ldap_server: fix typo in DEBUG() message
metze
2012-04-03 17:47:31 +02:00
Andrew Bartlett
e7d5f0a357 gensec: move event context from gensec_*_init() to gensec_update()
This avoids keeping the event context around on a the gensec_security
context structure long term.

In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:33 +11:00
Matthias Dieter Wallnöfer
96a9f823ed s4:ldap_backend.c/"map_ldb_error" - handle errors similar to "PyErr_SetLdbError"
If the call was done using an error string ("add_err_string"), then use that one
without an additional "ldb_strerror()" for the definitive LDAP output.
Otherwise generate one using "ldb_strerror()".
This omits redundancies in the error string generation (twice the same
information by "ldb_strerror()").

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-10-11 08:42:07 +02:00
Andrew Tridgell
0d2d6c94d2 s4-ldap-server: disallow all modifies on global catalog port 2011-10-04 15:08:55 +11:00
Andrew Bartlett
dce23151e0 s4-ldap_server: Fix segfault on startup failure of ldap server 2011-09-27 22:43:06 +02:00
Andrew Tridgell
02872212eb s4-ldap-server: set the NO_GLOBAL_CATALOG control on non-GC operations
this makes us honor GC semantics on the two ldap ports
2011-09-22 10:00:49 +10:00
Jelmer Vernooij
292fe74971 credentials: Rename library to samba-credentials to avoid name clashes.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
2011-08-18 22:16:38 +02:00